Track 3 Speakers

May 27, 10:40-11:30

Beyond Interactions: Hacking Chatbots Like a Pro 

In an era where AI-driven chatbots seamlessly integrate into our daily lives, it’s high time that we understand the risks caused by vulnerabilities associated with it. Join us on an exciting journey as we break down the complexities of AI chatbot hacking and explore the potential threats hidden below the surface. In this tech talk, we will begin with the basics of AI, then shift into the common vulnerabilities of AI chat bots, and finally deep dive into the top two vulnerable categories. Through a live hacking lab and real-world attack scenarios, we will demonstrate how an attacker leverages AI chatbot vulnerabilities to compromise user privacy, spread misinformation, and perpetrate social engineering attacks. Furthermore, we will discuss some security measures aimed at minimizing these risks, thereby fostering a more secure digital environment accessible to everyone. By the end of this talk, participants will have developed a deeper awareness of the challenges in securing AI chatbots and will be empowered with practical strategies to fortify their systems effectively. Whether you're a cybersecurity professional, AI enthusiast, or simply curious about tech and security, this talk will inform, inspire, and spark a passion for keeping AI communication safe.

Naveen Konrajankuppam Mahavishnu

Naveen is a Security Researcher with over 7 years of expertise specializing in AI, application, and cloud security. He possesses extensive knowledge in all aspects of product security, including threat modeling, DevSecOps, API security, and penetration testing. He is passionate about integrating security into the SDLC from design to deployment, ensuring the early detection and mitigation of vulnerabilities.


Mohankumar Vengatachalam

Mohan is a security leader with over a decade of experience in security architecture, engineering, and operations. He has a strong interest in developing security programs and a proven track record of creating proactive security roadmaps and strategies aligned with business objectives. He constantly seeks ways to elevate security processes and culture to the next level.


May 27, 11:40-12:30

Give me the damn Model for Threat Hunting

A Machine Learning Approach to Threat Hunting in Endpoint and Network Logs The talk will introduce Jupyter Notebooks for large-scale threat hunting. Rather than looking at vast data in a traditional tabular format, we will explore the effectiveness of visualizations, emphasizing graphs, to identify and investigate outliers. The primary area of focus would be Anomaly Detection applied to substantial volume of data to generate Alerts for SOC based on Windows Sysmon Endpoint Logs and Zeek/Suricata Logs.

In this talk, we will identify the anomalies in an environment without ingesting the data into a SIEM or an intelligent application, simply by using a Jupyter Notebook The potential of extracting patterns and deriving meaningful insights from data is vast. And hence, Introducing a detection engineering strategy using Machine Learning and Visualizations to Hunt for Threats in Endpoint and Network Logs. Furthermore, the same strategy could be extended to Hunt for threats in Cloud Environments such as AWS and Azure. The capability of detecting Outliers in an environment within few minutes and converting those into highly effective Alerts with minimal True Positives will be explored in this presentation.

Kai Iyer

Kai is a Senior Security Engineer at EY's Cyber Threat Management team and manages Applied Machine Learning Research and Security Engineering. He holds multiple certifications and has extensive knowledge in various domains, including Web-App Development, Data Science, Incident Response, DevSecOps and Purple Teaming. He is also an advocate for open source software and data privacy. He dreams of a world where no one clicks on phishing e-mails.


May 27, 1:30 - 2:20

Guardians of Cybersecurity: Deploying IoT devices via Drones and Dropboxes

Alex and Brad's fascination with drones further catalyzed this integration, giving birth to "The Raccoon Squad". This initiative features two groundbreaking devices: the 'Flying Raccoon', representing airborne reconnaissance and intrusion, and the 'Sneaky Raccoon', epitomizing ground-level stealth operations. Through this exploration, we gain insights into the future of integrated security solutions that seamlessly blend digital prowess with tangible, real-world applications.

Alex Thines

Alex began his journey as a blue team analyst, he dove into the world of programming. As he sharpened his coding skills, he found not only an enhanced ability to hack but also a newfound love for programming itself. The synergy between hacking and coding intrigued him, urging him to merge the two. As a way for Alex to destress, he picked up flying FPV (First Person View) drones and quickly realized another potential use for his hobby.


Brad "Sno0ose" Ammerman

An adept cybersecurity expert, proficient in ethical hacking and leading teams of skilled hackers. As a speaker, educator, and mentor, Brad is committed to sharing knowledge and safeguarding others. His experience is further enriched by his background as a veteran. Outside of his professional life, he takes great pride in being a devoted husband and father.


May 27, 2:30-3:20

Bypassing Next Generation Firewalls’ Layer 7 Application Policy

As a security community and hackers, our major focus is usually on vulnerabilities affecting operating systems and software running on devices. Not so often do we put a light on protocols we have been using for years or practices we have been following. Then eventually, one day, we may realize that some expensive security solutions we trust for our security may extensively rely on some simple assumptions at core. In this presentation, starting with a real-life incident example, Ali will shed light on how common IDS/IPS detection engines rely on the fact that, malicious or not, all networking applications would follow the same logic flow at the socket programming level. Then, by thinking outside of the box, Ali will demonstrate how, by making a small change in the application, malicious traffic can avoid being detected by IDS/IPS engines and therefore bypass Next Generation Firewall’s Layer 7 Application Policy rules. A PoC tool written by Ali will be used to demonstrate a successful reverse shell connection and file exfiltration being performed over some well-known NGFWs despite their Layer 7 application block policies in effect. Following the demo, there will be some suggestions for defenders on how to detect such suspicious traffic as well as how to remediate this issue. The PoC tool will be published following the presentation.


Ali Efe is a seasoned penetration tester at IBM X-Force Red helping organizations to secure their networks and applications. With over 7 years of cybersecurity expertise and a decade of hands-on experience in application development and computer networks, he is a dedicated professional committed to securing digital landscapes through ethical means. 

Twitter/X: @0xAefe


May 27, 3:30-4:20

Beyond Code: Reinforcing CI/CD Pipelines Against Emerging Threats

As modern software development practices evolve, CI/CD pipelines have emerged as a potent, yet under-secured frontier. This has resulted in a shift in focus from attackers, who are exploiting the traditionally overlooked vulnerabilities in the development pipelines. In this presentation, we'll dive into the top CI/CD security risks as identified by OWASP. We'll look at how each attack can be performed, explore potential impacts, and the motives of bad actors. This talk will provide you with pragmatic strategies to strengthen your CI/CD security posture. Join us to transform your CI/CD pipeline from a potential vulnerability into a cornerstone of your security infrastructure.

Farshad Abasi

Farshad Abasi is an innovative technologist with over twenty four years of experience in software design and development, network and system architecture, cybersecurity, management, and technical instruction. With a keen interest in security from the start, he has become an expert in that aspect of computing and communication over the last twenty years. He started Forward Security in 2018, with a mission to provide world class information security services, particularly in the Application and Cloud security domains. Prior to creating Forward, he was a senior member of HSBC Group's IT Security team with the most recent positions being the Principal Global Security Architect, and Head of IT Security of the Canadian division. Farshad is continuing an eighteen year stint as an instructor at BCIT where he shares his passion for information and network security, helping others build a career in this exciting field. He is also the security correspondent for CFAX radio, BSides Vancouver/MARS board member, Vancouver OWASP chapter lead, a CISSP designate, and a UBC CS alumnus.


May 27, 4:30-5:20

We Taught Burp to Speak GraphQL: Automated Security Scanning of Your GraphQL API with Burp 

Rest APIs have been the backbone of webapps for over a decade now, and it’s treated us well. Inevitably, a challenger has approached and is gradually becoming the new industry standard. That is GraphQL, a query a language for your API. But shifts in tech trends also bring another inevitability, new and interesting ways to hack stuff. GraphQL is a growing target, and the pentesting tools have yet to keep up, leaving the criminals with more time and opportunity to probe and exploit vulnerabilities in your web apps. Burp Suite has been the defacto tool for Application Security professionals running DAST scans and penetration tests against web apps, and it’s amazing Active Scan feature badly needed to be able to parse GraphQL. Our new plugin for Burp Suite allows the Active Scanner to competently point it’s library of payloads at a GraphQL API, giving the defenders a chance to detect vulnerabilities before the criminals do.

Jared Meit

Jared Meit, OSWE, has always had a passion for taking things apart, learning how they work, and forgetting how to put them back together. He was a professional software developer for 12 years before shifting his focus to Application Security 5 years ago. His dev experience allows him to create tools that developer's will actually want to use.